pfSense multi-wan Bridge, NAT, Load balancing and CARP

  • Context

I currently have:

    • 1 pfSense 2.0.2 router (on a Firebox X-Peak X5000)
    • 2 WAN
    • 1 LAN
    • 3 Servers

    My interfaces

    • WAN1 68.XX.XXX.98 to 69.XX.XXX.102
    • WAN2 65.XXX.XXX.58 to 66.XXX.XXX.62
    • LAN 192.168.1.XXX
    • DMZ

My router is configured like this:

    • Load balancing with a Gateway group based on this documentation.
    • NAT
    • Rules to LAN servers
• Bridge between WAN2 and DMZ (with external IPs on one DMZ server), but I can't communicate between this server and the other servers on the LAN via the external IP address. With a custom route configuration I've been able to handle requests from the LAN to the server on the DMZ, but I don't like doing it like this.

My servers are using local IP addresses 192.168.1.XXX, and so are my computers.

    Expecting

I would like to do two things:

1. Bridge the two WANs with a DMZ and LAN behind NAT

I want the possibility to assign external IP addresses to servers, and the possibility to mix IPs from both WANs on the same server. I would also like to be able to communicate with the servers from the LAN, for example:

192.168.1.100 <--> http://68.XX.XXX.99


Also being able to communicate from one server to another, for example:

65.XXX.XXX.59 <--> http://68.XX.XXX.99

    • Will I need to dedicate one external IP address for computers on LAN behind NAT?
• Will I be able to keep the load balancing working for the NAT?

Note: I would like to avoid one-to-one NAT; having local IP addresses on the servers complicates the virtual hosting configuration, so I prefer having external addresses.

2. Router hardware redundancy (CARP)

I have one more identical Firebox X-Peak X5000, and would like to use it as a backup: if the first one fails, the second could take over without (or almost without) losing network connectivity (i.e., requests from outside to the servers must keep working, as must requests from the LAN and servers to the Internet).

I've read this documentation, but I have no idea if it could work with my configuration (Bridge + NAT + Load balancing).

• For the multi-WAN bridge + NAT + load balancing, it can be set up as follows:

1. Create a DMZ interface

• IPv4 Configuration Type: None

2. Create a bridge

• Interfaces > Assign > Bridges > Add
• Select WAN1, WAN2 and DMZ

3. Firewall rules

Unblock the necessary ports and allow them on the appropriate WAN:

• Source: *
• Port: *
• Destination: External IP address

With that configuration, servers on the DMZ can now work with public IP addresses. The only drawback so far is that I can't access hosts on the DMZ from the LAN.
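For readers who want to see what the three GUI steps above amount to at the pf level, here is an added pf.conf fragment (not from the answer or from pfSense's generated ruleset): interface names, the public addresses (kept as the question's placeholders) and the port list are assumptions.

```pf
# Added example: pf equivalent of the answer's bridge + WAN-bound rules.
# Interface names are assumed; take the real ones from Interfaces > Assign.
wan1 = "em0"            # WAN1, bridge member
wan2 = "em1"            # WAN2, bridge member
dmz  = "em2"            # DMZ, bridge member with no IPv4 address (step 1)
lan  = "em3"            # LAN, stays behind NAT, not in the bridge

# Public addresses served by bridged DMZ hosts (placeholders as written in the question)
web_on_wan1 = "68.XX.XXX.99"
web_on_wan2 = "65.XXX.XXX.59"
web_ports   = "{ 80, 443 }"   # assumed: only the services actually exposed

# pfSense filters bridged traffic on the member interfaces, not on bridge0
# (System > Advanced > System Tunables: net.link.bridge.pfil_member=1,
# net.link.bridge.pfil_bridge=0 by default). That is why step 3 binds each
# rule to the WAN that owns the address instead of to the bridge itself.
set skip on lo0
block in log all               # default deny: a DMZ host is reachable only via an explicit pass

# Step 3: one pass rule per public IP, on the WAN the IP belongs to, for the needed ports only
pass in quick on $wan1 proto tcp from any to $web_on_wan1 port $web_ports keep state
pass in quick on $wan2 proto tcp from any to $web_on_wan2 port $web_ports keep state

# Replies and outbound traffic from the DMZ hosts and the NATed LAN
pass out quick on { $wan1, $wan2 } keep state
pass in quick on $lan from $lan:network to any keep state
```

The "block in log all" line is what makes the per-IP pass rules meaningful: without it, bridging WAN1 and WAN2 to the DMZ would expose every port on every DMZ host to both upstreams.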

License under CC-BY-SA with attribution